Uber Hack: Best Practices for Multi-Factor Authentication (MFA)

On September 19, 2022, technology giant Uber announced it had been the victim of a significant data breach. After compromising an employee account, the attacker was able to gain access to critical internal systems where the company stored sensitive customer data. 

This breach marked a continuation in a pattern of attacks against major U.S. corporations, with companies including Meta, T-Mobile, and Equifax all suffering major breaches in the past few years. While each attack featured slightly different tactics, techniques, and procedures, they each represent a learning opportunity for security leaders across the industry. 

These businesses, among the world’s largest and most sophisticated technology companies, have advanced security infrastructures and teams of full-time cybersecurity professionals dedicated to keeping their systems secure. If they can fall victim to a data breach, any business can, including yours. That’s why it’s so crucial for security professionals to dissect these attacks, learn from others’ failings, and update their own business’s security protocols accordingly.

In this briefing, we’ll explore what happened in the Uber hack and share best practices for Multi-Factor Authentication (MFA) that your business should adopt to minimize the chances of suffering a similar data breach.

Tech Heads is a managed security service provider dedicated to keeping your business one step ahead of potential threats. Our managed cybersecurity service is purpose-built to meet industry-standard cybersecurity controls, affording you access to sophisticated security tools, no matter the size of your business. Contact us today to learn more.

Uber Hack: What Happened?

Uber’s system was breached by an external hacker who, although reportedly affiliated with the hacking group Lapsus$, seemingly acted alone. While not all details of the attack are public, Uber’s security team published a brief update on it. It seems that the hacker was able to obtain the login credentials of an Uber contractor on the dark web, most likely after the contractor’s device had been infected with malware.

The attacker repeatedly attempted to log in to Uber’s systems with the contractor's login credentials. Uber had Multi-Factor Authentication in place and each attempt to log in triggered an MFA login approval request, which was initially successful in blocking access. 

The attacker continued with attempts to log in over and over, resulting in the contractor receiving a rush of push notifications. From there, the hacker contacted the contractor, allegedly posing as a member of Uber’s internal security team. They advised the contractor that the only way to make the notifications stop was to accept one of the MFA approval requests. Unaware of the security ramifications of this, the contractor did as the attacker instructed.  

After this initial network breach, the attacker was able to compromise several employee accounts, reportedly gaining access to confidential systems including AWS, G Suite, and elements of Uber’s codebase. They also announced their hack on a company-wide Slack channel. 

This type of attack is known as a Multi-Factor Authentication Fatigue attack and has become increasingly common in recent months. In 2022 alone, the same group that hacked Uber also breached Samsung, Cisco, Nvidia, and Okta. 

The dangers are there for all to see, but what specific lessons can security practitioners learn from this event? Let’s break down some of the key takeaways.

Learnings from the Uber Hack: Best Practices for Multi-Factor Authentication

It can be easy to blame employees when attacks like this occur, but the reality is that your internal security processes and employee education programs have failed. Simply having an MFA program in place is not enough––employees need to understand the purpose it serves, and know why receiving dozens of prompts to verify a sign-on represents a red flag.

Here are four key lessons security professionals should bear in mind as they consider how MFA is used within their organizations:

Educate Employees on MFA Fatigue Attacks

Practically every security awareness training program contains education on concepts like phishing and social engineering, but today, few feature modules that cover MFA fatigue attacks. 

If your employees aren’t aware of the potential danger of these attacks and aren’t equipped to spot the warning signs, it’s all too easy for them to fall prey to the attacker’s deception. Consider updating your employee cybersecurity training to cover the indicators of MFA fatigue attacks.

Upgrade Your MFA System

There are various categories of Multi-Factor Authentication systems––some just require users to tap a push notification to verify their login, while others require users to open an authenticator app or enter a code that’s texted to them. 

During the initial adoption of MFA systems, many businesses opted for solutions that had as little impact on the employee experience as possible, focusing on making the MFA sign-in process easy for employees. An unintended consequence is that frictionless MFA experiences, such as tapping a push notification to verify a sign-in request, are also easy for attackers to exploit.

Consider upgrading your organization’s MFA system to require employees to use a proprietary MFA code when signing in. This additional step makes it significantly more challenging for attackers to breach your system. 

Consider Adopting Security Keys

For businesses that manage particularly sensitive data, hardware security keys are an additional MFA option that provides a more robust layer of security. These keys connect to employees’ devices and provide encrypted authentication.

These are significantly harder for attackers to breach, and have been adopted by companies including Google and Cloudflare. Of course, this approach is more expensive than software-based solutions, but if your business handles highly confidential data, security keys may well be an investment worth making.

Conduct Dark Web Scans

It’s been speculated that the Uber hacker originally obtained the employee’s login credentials from the dark web––an Internet underworld frequented by anonymous hackers. At any given moment, employee credentials for your business could be for sale on the dark web. 

This underlines the importance of regular dark web scans to any cybersecurity strategy. By conducting dark web scans, businesses can identify any employee credentials that have been breached and take steps to remedy the situation before their systems are compromised by external attackers. 

Additional Lessons from the Uber Hack

While Uber’s failings in MFA were undoubtedly a contributing factor to the attack, there were additional security concerns too. In many organizations, repeated attempts from an external device to log into secure company networks would be flagged by an automated managed detection and response platform, alerting security teams to a potential attack. 
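The kind of automated flagging described above can be sketched as follows. This is an added example, not part of the original article and not any vendor's detection logic; the log format, result names, window and threshold are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample MFA audit log (format and result names are assumptions).
SAMPLE_EVENTS = """\
2024-01-15T09:00:00Z bob 203.0.113.10 push_timeout
2024-01-15T09:00:40Z bob 203.0.113.10 push_approved
2024-01-15T23:01:00Z alice 198.51.100.7 push_timeout
2024-01-15T23:01:30Z alice 198.51.100.7 push_denied
2024-01-15T23:02:10Z alice 198.51.100.7 push_timeout
2024-01-15T23:03:00Z alice 198.51.100.7 push_timeout
2024-01-15T23:03:45Z alice 198.51.100.7 push_denied
2024-01-15T23:04:30Z alice 198.51.100.7 push_timeout
2024-01-15T23:06:00Z alice 198.51.100.7 push_approved
2024-01-16T08:00:00Z carol 203.0.113.22 push_denied
2024-01-16T11:30:00Z carol 203.0.113.22 push_denied
""".splitlines()

UNAPPROVED = {"push_denied", "push_timeout"}
WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed count of unapproved prompts that is abnormal

def parse(line):
    ts, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result

def detect_mfa_fatigue(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (user, kind, prompt_count, source_ip) alerts in time order."""
    pending = defaultdict(deque)  # user -> times of recent unapproved prompts
    flagged = set()               # users already alerted for the current burst
    alerts = []
    for ts, user, ip, result in sorted(parse(l) for l in lines if l.strip()):
        q = pending[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) < threshold:
            flagged.discard(user)
        if result in UNAPPROVED:
            q.append(ts)
            if len(q) >= threshold and user not in flagged:
                flagged.add(user)
                alerts.append((user, "prompt_burst", len(q), ip))
        elif result == "push_approved":
            if len(q) >= threshold:  # approval straight after a burst
                alerts.append((user, "approved_after_burst", len(q), ip))
            q.clear()
    return alerts

if __name__ == "__main__":
    print(detect_mfa_fatigue(SAMPLE_EVENTS))
```

A `prompt_burst` alert is a cue to contact the user and lock the session out of band; `approved_after_burst` warrants treating the resulting session as compromised until verified.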

The attacker was also able to gain access to several highly confidential internal systems, highlighting the importance of access management. Adopting the principle of least privilege restricts employees to only the systems they need to do their jobs, safeguarding access to more sensitive information.

Partner with Tech Heads: A Trusted Cybersecurity Vendor

New threats will emerge as attackers continue to adopt new attack vectors. In this constantly evolving cybersecurity landscape, all companies must take measures to safeguard their proprietary data and systems, not just large corporations. 

While attacks on Small and Medium Businesses (SMBs) might not end up in the headlines, they occur much more frequently than you might think. In 2021, 55% of SMBs suffered a cyberattack, and the costs of a security breach can be severe.

But not every SMB has the internal security team required to build a robust cybersecurity infrastructure. That’s where cybersecurity firms like Tech Heads step in. With a team of more than 25 cybersecurity experts and a proven track record of defending SMBs against cyber attacks, Tech Heads is ready to serve as your outsourced security team. 

To learn more about protecting your business against hacks, contact us today. 
